Vulnerability allowed code execution via PayPal confirmation emails
German security researcher Benjamin Kunz Mejri identified a vulnerability in PayPal's account system that allowed malicious code to be delivered through PayPal's own confirmation emails. He reported it through the bug bounty program.
To send the malicious emails, Mejri used an existing PayPal account. The vulnerability was that arbitrary code could be entered in the field intended for the account holder's name, once a filter had been bypassed. He then used the feature for sharing a PayPal account with others, which lets the owner add several email addresses to the account.
Each added address then received an email asking the recipient to confirm the addition. When the recipient opened the email, the malicious code embedded in the account holder's name was executed, having been delivered from PayPal's servers.
This made phishing attacks possible, among other things, with the advantage that the emails came from the official PayPal domain. Session hijacking and redirection to other pages were also possible. The vulnerability was fixed at the beginning of March, and Mejri received 1000 dollars for his report, about 880 euros.
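The defect described above is a classic injection of markup through a free-text profile field into an HTML email template. The following is an added illustration, not PayPal's code or the researcher's payload; the template, the name pattern and the sample inputs are constructed for this example. It shows the unsafe rendering beside a hardened version that validates the name on input and escapes it on output.

```python
import html
import re

# Constructed sample inputs: a plausible account-holder name and a name that
# carries HTML markup, standing in for the injection class described above.
SAMPLES = {
    "benign": "Jane Doe",
    "markup": '<img src=x onerror="alert(1)">',
}

# Hypothetical confirmation-email body; the real template is not on the page.
EMAIL_TEMPLATE = (
    "<p>{name} has added you to their account.</p>"
    "<p>Please confirm this addition.</p>"
)


def render_vulnerable(name: str) -> str:
    """Interpolates the account-holder name into the HTML body unescaped,
    so any markup stored in the name field reaches every recipient."""
    return EMAIL_TEMPLATE.format(name=name)


# Allow-list for names: letters, digits, spaces, dots, apostrophes, hyphens.
NAME_RE = re.compile(r"^[\w .'\-]{1,64}$")


def validate_name(name: str) -> str:
    """Input-time check: reject anything that is not a plausible name
    instead of trying to filter out known-bad substrings."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("account holder name contains disallowed characters")
    return name


def render_hardened(name: str) -> str:
    """Output-time defence: escape the name for an HTML context regardless
    of whether upstream validation ran, so stored data can never become markup."""
    return EMAIL_TEMPLATE.format(name=html.escape(name, quote=True))


def body_contains_tag(body: str) -> bool:
    """Rough check used to compare the two renderings: is there a raw HTML tag
    beyond the template's own <p> elements?"""
    stripped = body.replace("<p>", "").replace("</p>", "")
    return re.search(r"<[A-Za-z]", stripped) is not None
```

The input allow-list blocks the markup before it is stored, and the output escaping catches anything that slips through by other paths, which is why both layers belong in the fix.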